Description
A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and write files with arbitrary data on the target machine.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
None
User Interaction
None
Confidentiality (Vulnerable System)
None
Integrity (Vulnerable System)
Low
Availability (Vulnerable System)
High
Confidentiality (Subsequent System)
None
Integrity (Subsequent System)
Low
Availability (Subsequent System)
Low
CVSS 3.1
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
High
Affected products
- AutomationDirect / Productivity 1000 P1-540 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 1000 P1-550 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 2000 P2-550 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 2000 P2-622 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 3000 P3-530 CPU0 – SW v4.4.1.19
- AutomationDirect / Productivity 3000 P3-550E CPU0 – SW V4.2.1.9
- AutomationDirect / Productivity 3000 P3-622 CPU0 – SW V4.2.1.9
- AutomationDirect / Productivity Suite0 – SW V4.2.1.9
References
- VENDOR_ADVISORYhttps://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01
- MISChttps://www.automationdirect.com/support/software-downloads
- MISChttps://support.automationdirect.com/docs/securityconsiderations.pdf
- MISChttps://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-296-01.json